SpringBoot spring-security webflux static resource warning logging

This is a minor logging issue at the moment, but I'm slightly concerned that things will break eventually based on the logging.

Using spring-boot 2.2.9.RELEASE, with webflux, spring-security, and actuator, I'm getting the following warn level logging on each call to /actuator/health:

2020-08-07 11:07:46.494  WARN 93815 --- [oundedElastic-1] o.s.web.util.pattern.PathPatternParser   : '**' patterns are not supported in the middle of patterns and will be rejected in the future. Consider using '*' instead for matching a single path segment.

In production, with health checks hitting this, that's a lot of logging.

I've traced this down to the usage of PathRequest.toStaticResources().atCommonLocations() in

@Bean
    public SecurityWebFilterChain springSecurityFilterChain(@SuppressWarnings(
            "SpringJavaInjectionPointsAutowiringInspection") ServerHttpSecurity http) {
        return http
                .authorizeExchange()
                .matchers(
                        PathRequest.toStaticResources().atCommonLocations(),
                        EndpointRequest.toAnyEndpoint()
                )
                .permitAll()
                .and().build();
    }

that calls through to StaticResourceLocation enum, which has the following pattern enum: FAVICON("/**/favicon.ico");

I believe this is specific to webflux using a different PathPatternParser from webmvc, but I'm not sure. reproduction git project: https://github.com/gadamsciv/webflux-pattern steps to reproduce, run that project, and issue an actuator health request using curl: curl localhost:8080/actuator/health

note that the PathPatternParser warning logging gets emitted for each call. I've also tried this with spring-boot 2.3.2.RELEASE, and it's still happening.

Comment From: wilkinsona

Thanks for the report. This has been fixed in 2.4. I wonder if we should do something similar in 2.3.

Comment From: bclozel

This is now superseded by #23126